News sites should worry about security
Onlinejournalism.com noted today that, according to a Netcraft survey cited in The Register last week, a majority of Web sites are vulnerable to certain kinds of remote exploits identified in IIS and Apache in June. Netcraft estimates that 6 million Apache sites have been upgraded to the newest version of Apache since the June 17 security bulletin, but 14 million have not. That’s in addition to the perhaps 5 million sites that may be vulnerable to the IIS exploit. Of course, I am one to talk since my hosting provider is still running an older version of Apache, and so is the site I work for (although at least the AJC is running it on Solaris, on which the exploit has not yet been shown to be possible).
Netcraft’s survey sheds light on what I believe is a lack of enough security on the part of news organizations. Although news sites are understandably hesitant to upgrade because newer versions of the server software might introduce instability or the upgrades might cause a temporary loss of site availability, I think that, if anything, news sites have more responsibility than the average site to make sure their systems are secure. This is not a hypothetical; the New York Times has been hacked several times.
The most dangerous type of vandalism could be a “rewriting of history” through the introduction of plausible but false news stories buried somewhere in the site, rather than absurd modifications to the front page that might be more easily discovered by staff and readers. Imagine if the anti-globalization protesters who created gatt.org, a spoof of the true World Trade Organization site, had actually hacked into the WTO’s site and posted their parody there rather than at a separate URL. Since a site’s entire look and feel necessarily becomes public in its HTML source code, it would be remarkably easy to create counterfeit news pages.
Whether or not hackers post fake news or — what most of them have done in the past — obvious modifications to the site’s front page is not the important issue. What is at issue is whether news sites take enough security precautions. I do not believe the two newspapers that I’ve worked for do. Their FTP servers are not firewalled (which would allow only designated computers to update the site, not any computer on the Internet), they do not use secure FTP, they do not change their passwords often enough, and one site’s password was not robust enough during the time I was working there. The student server my college newspaper is hosted on was compromised in May 2001 by a hacker who obtained a user’s password when it was transmitted via an insecure protocol. The “big” sites I’ve worked for don’t appear to have that much more sophisticated security. Shouldn’t their administrators be more worried?
Update July 19, 2002, 1:25 am: usatoday.com was hacked on July 11. And sure enough, the hackers created counterfeit news stories. I wonder how many hits their front page got in the 15 minutes before someone noticed?